TWI585612B - Managing use of a field programmable gate array with isolated components - Google Patents
- Publication number
- TWI585612B (TW102121920A)
- Authority
- TW
- Taiwan
- Prior art keywords
- fpga
- memory
- encrypted
- data
- program
Classifications
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
- G06F21/76—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
- G06F21/85—Protecting input, output or interconnection devices, e.g. bus-connected or in-line devices
Description
The present invention relates to managing the use of a field programmable gate array with isolated components.
In most general-purpose computers, the operating system is the primary software that manages access to resources within the computer. The primary resources are the central processing unit (CPU), which executes application programs designed to run on the computer, main memory, and storage. In some computer architectures, additional processing units (such as multiple cores in a processor) and/or additional processors (called coprocessors) may be present. Examples of such coprocessors include a graphics processing unit (GPU) and a digital signal processor (DSP). The operating system also manages access to these resources by multiple processes.
A field programmable gate array (FPGA) is a kind of logic device commonly used in specialized computing devices. An FPGA is typically used to perform a specific, dedicated function for which a gate array is particularly well suited. FPGAs are typically found in peripheral devices or other specialized hardware, such as a printed circuit board connected to, and accessed through, a system bus such as a PCI bus. In general, such devices are programmed once and used many times. Because these devices are programmable, they have the advantage over other specialized logic devices that they can be updated in the field.
This Summary is provided to introduce, in simplified form, a selection of concepts that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
One or more field programmable gate arrays (FPGAs) can be used as a shared programmable coprocessor resource in a general-purpose computing system. An FPGA can be programmed to perform functions, which in turn can be associated with one or more processes. With multiple processes, the FPGA can be shared, and a process can be assigned to at least one portion of the FPGA during the time slot in which it accesses the FPGA. Programs written in a hardware description language for programming the FPGA are used as a hardware library. The operating system manages allocating the FPGA resources to processes, programming the FPGA according to the functions to be performed by the processes using the FPGA, and scheduling use of the FPGA by those processes.
If an FPGA is used as a component of a general-purpose computing platform, it may be susceptible to attack and to the execution of insecure code. For example, inspection of data transfers and memory may expose keys, algorithms, and other information related to secure operations. To improve security, the components of the FPGA are isolated to protect the FPGA and the data transferred between the FPGA and other components of the computer system.
For example, data written by the FPGA to memory is encrypted, and is decrypted within the FPGA when it is read back from memory. Data transferred between the FPGA and other components such as the CPU or GPU, whether directly or through memory, can similarly be encrypted using cryptographic keys known to the communicating components (whether shared secret keys or public/private key pairs). Transferred data can also be digitally signed by the FPGA or the other component to provide authentication. Code for programming the FPGA can be encrypted and signed by its author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself before the FPGA is programmed with the code.
In the following description, reference is made to the accompanying drawings, which form a part of the description and in which specific example implementations of the technique are shown by way of illustration. It is understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the invention.
100‧‧‧computing device
102‧‧‧processing unit
104‧‧‧memory
106‧‧‧dashed line
108‧‧‧removable storage
110‧‧‧non-removable storage
112‧‧‧communication connection
114‧‧‧input device
116‧‧‧output device
120‧‧‧FPGA unit
200‧‧‧functional unit
202‧‧‧functional unit
204‧‧‧functional unit
206‧‧‧functional unit
300‧‧‧application
302‧‧‧software library
304‧‧‧FPGA hardware library
306‧‧‧operating system
308‧‧‧CPU
310‧‧‧FPGA resources
400‧‧‧functional unit
402‧‧‧functional unit
404‧‧‧functional unit
500‧‧‧computer system
502‧‧‧field programmable gate array
504‧‧‧memory
506‧‧‧central processing unit
508‧‧‧graphics processing unit
510‧‧‧high-speed computer bus
600‧‧‧FPGA
602‧‧‧input/output memory
604‧‧‧encrypted data
605‧‧‧decryption module
606‧‧‧encrypted key
608‧‧‧decryption module
610‧‧‧decrypted key
612‧‧‧register
614‧‧‧decrypted data
616‧‧‧memory
620‧‧‧data
622‧‧‧encryption module
626‧‧‧encryption module
630‧‧‧programmable elements
632‧‧‧control circuit
700‧‧‧receiving step
702‧‧‧decryption step
704‧‧‧receiving step
706‧‧‧decryption step
708‧‧‧storing step
710‧‧‧design step
FIG. 1 is a block diagram of an example computing system with FPGA resources for which an operating system can be implemented.
FIG. 2 is a schematic diagram of an illustrative example of FPGA functional units.
FIG. 3 is a schematic diagram of an example architecture of an application using hardware and software libraries on a computer system with FPGA resources.
FIG. 4 is a diagram illustrating the use of FPGA functional units over time.
FIG. 5 is a block diagram of a computing system with a field programmable gate array that supports isolated components.
FIG. 6 is a more detailed block diagram of the field programmable gate array.
FIG. 7 is a flow chart describing secure programming of an FPGA.
The following section provides a brief, general description of an example computing environment in which an operating system for managing the use of FPGA resources can be implemented. The system can be implemented with numerous general-purpose or special-purpose computing devices. Examples of suitable well-known computing devices include, but are not limited to, personal computers, server computers, hand-held or laptop devices (for example, media players, notebook computers, cellular phones, personal data assistants, voice recorders), multiprocessor systems, microprocessor-based systems, set-top boxes, game consoles, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
FIG. 1 illustrates only an example computing environment and is not intended to suggest any limitation as to the scope of use or functionality of a suitable computing environment.
Referring to FIG. 1, an example computing environment includes computing device 100. In one basic configuration, computing device 100 includes at least one processing unit 102 (such as the typical central processing unit (CPU) of a general-purpose computer) and memory 104.
The computing device can include multiple processing units and/or additional coprocessing units, such as a graphics processing unit (GPU). The computing device also includes one or more field programmable gate arrays (FPGAs), represented as FPGA unit 120, which is available as a coprocessing resource shared among the processes executing on the computer. An FPGA can reside in its own CPU socket or on a separate card inserted into an expansion slot, such as a Peripheral Component Interconnect Express (PCI-E) slot. By providing such an FPGA unit, a variety of functions that are well suited to implementation in a gate array can be implemented with the benefit of hardware acceleration.
Depending on the configuration of the processing unit and the FPGA unit, the unit, or each functional unit within the unit, has an associated input/output channel for communicating with host operating system processes. For example, a memory region can be provided that is dedicated to the functional unit and shared between it and the process using that functional unit. A request queue and a response queue can also be used to enable asynchronous invocation of operations implemented in the FPGA unit. In addition, the state of a functional unit in the FPGA unit for a process can be saved to, and restored from, a memory region for that functional unit and that process. Alternatively, other techniques can be used to ensure that the functional unit is in a known state before it is used by its process.
Depending on the configuration and type of the computing device, memory 104 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two. This configuration of processing unit, coprocessor, and memory is illustrated in FIG. 1 by dashed line 106.
Computing device 100 may also have additional resources and devices. For example, computing device 100 may also include additional storage (removable and/or non-removable) including, but not limited to, magnetic disks, optical disks, or tape. Such additional storage is illustrated in FIG. 1 by removable storage 108 and non-removable storage 110. Computer storage media includes volatile and non-volatile, removable and non-removable media implemented by any method or technology for storing information such as computer program instructions, data files, data structures, program modules or other data. Memory 104, removable storage 108, and non-removable storage 110 are all examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by computing device 100. Any such computer storage media may be part of computing device 100.
Computing device 100 can also include communication connection 112, which allows the device to communicate with other devices over a communication medium. The implementation of communication connection 112 depends on the kind of communication medium being accessed by the computing device, because it provides an interface to that medium to allow transmission and/or reception of data over the communication medium. Communication media typically carry computer program instructions, data files, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example and not limitation, communication media include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media.
Computing device 100 can have various input devices 114 such as a keyboard, mouse, pen, camera, touch input device, and the like. Output devices 116 such as a display, speakers, a printer, and the like may also be included. All of these devices are well known in the art and need not be discussed in detail here.
Applications executed on the computing device are implemented using computer-executable instructions and/or computer-interpreted instructions, such as program modules, that are processed by the computing device. In general, program modules include routines, programs, objects, components, data structures, and the like that, when processed by a processing unit, instruct the processing unit to perform particular tasks or implement particular abstract data types. In a distributed computing environment, such tasks can be performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules can be located in both local and remote computer storage media, including memory storage devices.
An operating system executing on the computing device manages access by processes to the various resources of the computing device. Typically, running an application on the computer system causes one or more processes to be created, with each process being allocated to different resources over time. If a resource is shared among processes, and the processes cannot share the resource concurrently, the operating system schedules access to the resource over time. One such resource is FPGA unit 120 of FIG. 1, which can include one or more individual FPGAs.
Referring to FIG. 2, one of the resources within the FPGA unit is one or more groups of programmable gates, herein called functional units. Each functional unit is defined by a set of gates and/or other resources in the gate array. In general, functional units are non-overlapping, that is, they do not share programmable elements within the gate array. For example, as illustrated schematically in FIG. 2, functional units 200, 202, 204 and 206 are non-overlapping. Most FPGAs have only one functional unit. However, FPGA unit 120 in FIG. 1 can have one or more FPGAs. With multiple FPGAs, each FPGA can be considered a functional unit. Referring to FIG. 3, each functional unit is a resource that can be assigned to one or more processes, programmed by the operating system using a hardware library that implements an operation, and then used by the processes assigned to it to perform the operation. Referring to FIG. 3, as an example, application 300 can use conventional software libraries 302 and FPGA hardware libraries 304 to perform various operations. If the application relies on hardware library 304, operating system 306 uses the hardware library to program FPGA resources 310 to allow application 300 to use the library. The FPGA can be programmed before the application begins execution. If the FPGA can be reprogrammed quickly enough, the library can be loaded into the FPGA within a scheduling quantum of the operating system. Operating system 306 also executes software commands from application 300 and software libraries 302 on CPU 308. When the application makes a call to a function performed by a software library, the operating system executes the function from the software library on CPU 308. When the application makes a call to a function performed by the FPGA, the operating system ensures that the FPGA is programmed using the hardware library and executes the function using the FPGA.
To illustrate how different functional units can be used over time, reference is now made to FIG. 4. In FIG. 4, at time T1, functional units 400 and 402 are being used. At time T2, functional units 400 and 404 are being used. At time T3, functional units 400 and 402 are again being used. At time T1, functional unit 400 can be assigned to process P1, and functional unit 402 can be assigned to process P2. At time T2, process P2 may be inactive, while process P1 can use functional unit 400 and process P3 can use functional unit 404. At time T3, another process, such as process P4, can start using functional unit 400, and process P2 can be active again and use functional unit 402. With current FPGA implementations, the use of multiple functional units by different processes at the same time implies the use of multiple FPGAs. To the extent that an FPGA can support multiple functional units being used by different processes at the same time, these functional units can be on the same FPGA. In effect, the operating system statistically multiplexes the FPGA in both time and space.
To allow such use of the FPGA resources by different processes over time, the operating system has a scheduler that determines, in each scheduling quantum (that is, time period), which process can access the FPGA resources, and when an FPGA functional unit is to be programmed with a hardware library so that the functional unit is available for use by that process. The implementation of a scheduler for the FPGA unit therefore depends in part on the nature of the FPGA unit and the one or more FPGAs it includes. FPGA-related factors to be considered include, but are not limited to, the following. For example, in some cases, if a functional unit cannot be programmed independently of other functional units, the entire FPGA is refreshed to program that functional unit. Another consideration is the speed at which a functional unit can be programmed, and whether programming a functional unit prevents other functional units from being used during the programming phase. Another factor to consider is whether processes can share a hardware library by sharing a functional unit. The scheduler also takes into account factors such as the number of concurrent processes, application performance guarantees, application priorities, process context-switching costs, access to memory and buses, and the availability of a software library if no functional unit is available in the FPGA unit.
There may be other cases in which the FPGA unit provides a general-purpose facility to applications or to the operating system, and the FPGA unit is therefore scheduled for the duration of the application instantiation. For example, custom network protocols or offloading can be provided as an accelerated service on the FPGA unit. Conversely, system calls or standard library calls that are ordinarily executed on a general-purpose CPU can be accelerated using the FPGA. In addition, the operating system can multiplex the CPU based on preferences for process priority. In another case, the operating system can use a profile of the application (statistically or dynamically generated) to predict the functions best suited to execution on the FPGA unit and then preload those functions so that they are available for scheduling. By using the profile as a guide, the operating system can ensure that both space and time are available on the FPGA unit to accelerate the application. Finally, the operating system can use simple hints from the application to know when to schedule time on the FPGA unit. For example, certain calls into the operating system (system calls) can indicate long delays (calls to disk or the network), which provides a hint that the FPGA unit can be free for some amount of time for use by other threads or processes. The operating system therefore uses a variety of hints and preferences to create a schedule that multiplexes access to the FPGA unit. Because the operating system controls the scheduler, it has detailed knowledge of the work that is executing and upcoming, the hardware libraries available, and the time it takes to program the FPGA. It can therefore use this knowledge to determine which processes make use of the FPGA during execution.
Having described a general overview of such a computer architecture, an example implementation will now be described.
Referring to FIG. 5, a general architecture of a computer system 500 using a field programmable gate array 502 with isolated components is illustrated. In this example, the FPGA is connected to memory 504, central processing unit 506 and graphics processing unit 508. These connections are provided over a conventional high-speed computer bus 510, such as a CPU socket with a HyperTransport bus, or a PCI, PCI-E or PCI-X bus.
The field programmable gate array can include one or more registers that contain cryptographic keys (such as a symmetric key or a public/private key pair). The one or more registers also include the capability to perform the corresponding cryptographic operations using those keys. The cryptographic components can be part of the programming of the FPGA's programmable elements. These components can be implemented with countermeasures that increase the difficulty of direct analysis of the chip, such as can be achieved using a trusted platform module (TPM) component.
In one implementation, the cryptographic keys can be stored in a TPM component, from which the FPGA can load such a key only when the key is being used. If the TPM has access to the public key of a public/private key pair held by the FPGA, the TPM can use the FPGA's public key to encrypt the keys that the TPM holds for the FPGA. Thus, a key itself is decrypted only after it has been transferred from the TPM to the FPGA. This configuration allows the encrypted keys to be transferred over an insecure bus, such as a standard PC high-speed interconnect.
A logical channel is established between FPGA 502 and main memory 505 by encrypting all data with a symmetric key before it leaves the FPGA and storing the encrypted data in main memory. Subsequently, when the encrypted data is read back from main memory into the FPGA, it is decrypted with the symmetric key inside the FPGA. In one implementation, the encryption of the data can also include integrity protection. For example, an authenticated encryption mode of operation for the symmetric cipher can be used. As another example, the data can be hashed and the hash value appended to the data, and the data with the appended hash value can then be encrypted before being written to main memory.
A logical channel is established between FPGA 502 and graphics processing unit (GPU) 508, or another component such as a CPU or peripheral device, through a mutual authentication and key transfer protocol. In this case, the FPGA uses a public/private key pair to authenticate itself to the component (for example, the GPU), and the component does likewise using a second public/private key pair (whose private key is known only to the GPU). As part of the mutual authentication process, the FPGA and GPU establish one or more shared secrets (for example, two shared secrets, one for integrity protection and one for confidentiality). These shared secrets are then used, as part of a secure session between the FPGA and the GPU, to encrypt and authenticate subsequent communication between the two components.
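Added example, not code from the patent: a minimal Python model of the logical channels described in the two paragraphs above, in which data is encrypted and integrity-protected before it leaves the FPGA, with one key for confidentiality and one for integrity. Assumptions: the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for the FPGA's symmetric cipher, encrypt-then-MAC stands in for an authenticated encryption mode, and binding the memory address into the tag goes beyond what the text states; all function names and sample values are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # size of an HMAC-SHA256 tag


class IntegrityError(Exception):
    """Data read back from untrusted memory failed authentication."""


def derive_channel_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Derive separate confidentiality and integrity keys from one secret."""
    enc_key = hmac.new(shared_secret, b"confidentiality", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 as a PRF in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, address: int, plaintext: bytes) -> bytes:
    """Encrypt, then MAC over (address, nonce, ciphertext) inside the FPGA."""
    nonce = os.urandom(NONCE_LEN)
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    bound = struct.pack(">Q", address) + nonce + ciphertext
    tag = hmac.new(mac_key, bound, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(enc_key: bytes, mac_key: bytes, address: int, blob: bytes) -> bytes:
    """Verify the tag first; decrypt only when it matches."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise IntegrityError("blob shorter than nonce plus tag")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    bound = struct.pack(">Q", address) + nonce + ciphertext
    expected = hmac.new(mac_key, bound, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("tag mismatch at address 0x%x" % address)
    stream = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def is_rejected(enc_key: bytes, mac_key: bytes, address: int, blob: bytes) -> bool:
    """True when the FPGA side would refuse the data read back."""
    try:
        unseal(enc_key, mac_key, address, blob)
    except IntegrityError:
        return True
    return False


def demo() -> Dict[str, object]:
    # Constructed secret; in the text the key is held in an FPGA register.
    enc_key, mac_key = derive_channel_keys(os.urandom(32))
    main_memory = {}  # untrusted main memory: address -> sealed blob
    main_memory[0x1000] = seal(enc_key, mac_key, 0x1000, b"intermediate result A")
    main_memory[0x2000] = seal(enc_key, mac_key, 0x2000, b"intermediate result B")

    results = {"clean_read": unseal(enc_key, mac_key, 0x1000, main_memory[0x1000])}

    # A single flipped ciphertext bit in main memory must be detected.
    flipped = bytearray(main_memory[0x1000])
    flipped[NONCE_LEN] ^= 0x01
    results["bit_flip_rejected"] = is_rejected(enc_key, mac_key, 0x1000, bytes(flipped))

    # A valid blob copied from another address must be detected as well.
    results["relocation_rejected"] = is_rejected(
        enc_key, mac_key, 0x1000, main_memory[0x2000])

    # A component holding a different session secret cannot read the data.
    other_enc, other_mac = derive_channel_keys(os.urandom(32))
    results["wrong_key_rejected"] = is_rejected(
        other_enc, other_mac, 0x1000, main_memory[0x1000])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
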
Referring now to FIG. 6, more details of a field programmable gate array that provides isolated components are illustrated.
The FPGA 600 includes input/output memory 602, through which encrypted data 604 and encrypted keys 606 are transmitted.
When encrypted data 604 is received from another device, it is decrypted by decryption module 605 (which may implement, for example, symmetric key cryptographic operations). In some cases, an encrypted key 606 (which may be used by decryption module 605) is received and decrypted by decryption module 608 (which may implement, for example, public/private key cryptographic operations). The decrypted key 610 can be stored in register 612. In other cases, the decrypted data 614 can be stored in memory 616.
When data is transmitted to another device, data 620 (such as data from memory 616) is encrypted by encryption module 622 (which may implement, for example, symmetric key cryptographic operations) to provide encrypted data 604. Encryption module 622 can use the key 610 stored in register 612. In some cases, encryption module 626 (which may implement, for example, public/private key cryptographic operations) can encrypt the key 610 used by encryption module 622 so that it is transmitted as encrypted key 606. The encrypted data 604 and key 606 may be stored in memory 602 before being transmitted to another component within the computer system, such as memory, a GPU, a CPU, a peripheral card or another device.
Memory 616 is generally accessible to the programmable elements 630 of the FPGA for both reading and writing data. There may be some registers that the programmable elements can read but cannot modify.
The data received in memory 616 can also be programming code for programming the functional units of the FPGA. Control circuit 632 reads the programming code from memory 616 and programs the programmable elements 630. As will be described in more detail below, this structure allows encrypted and signed code to be securely downloaded to the FPGA, where the code is authenticated and decrypted and then used to program the FPGA.
In some implementations, the programmable elements of the FPGA can be used to implement the various cryptographic operations in the decryption and encryption modules.
Given this structure, the FPGA can securely transfer data between itself and other components within the computer system, because the data is encrypted on all accessible buses.
For example, to transfer data to another component, the FPGA encrypts the data inside the FPGA. The encrypted data is then transferred to the main memory or directly to the component.
If the component is the FPGA itself, the encrypted data is read back from the main memory into the FPGA and decrypted using the key and cryptographic operations inside the FPGA. In this example, the FPGA uses the main memory as additional memory.
The FPGA can use the main memory to transfer data to other components. In this example, the other component reads the encrypted data from memory and decrypts it. Thus, the CPU, GPU or other component also includes encryption/decryption modules similar to those used in the FPGA.
Similarly, other components can transfer data to the FPGA either directly or through memory. The other component encrypts the data and transfers it to memory or to the FPGA. The FPGA then reads the data from memory, or receives it, and decrypts it.
If decryption uses a shared secret, the secret can also be transmitted from the FPGA to the component, either directly or via memory (or it may already have been transmitted to the FPGA by the component). The shared secret can be transmitted using public/private key encryption to protect it. Specifically, to provide mutual authentication, the FPGA uses a public/private key pair to authenticate itself to the component (e.g., the GPU), and the component does the same using a second public/private key pair whose private key is known only to the GPU.
As part of the mutual authentication process, the FPGA and the GPU establish one or more shared secrets (e.g., two shared secrets, one for integrity protection and one for confidentiality). These shared secrets are then used to encrypt and authenticate subsequent communication between the two components as part of a secure session between the FPGA and the GPU.
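How two such shared secrets can protect later traffic, as an added Go example rather than anything specified by the patent: one secret keys AES-CTR for confidentiality, the other keys HMAC-SHA256 for integrity, and the receiver checks the tag before decrypting. The frame layout, the sequence numbers, the direction byte and the `Endpoint`/`NewPair` names are assumptions, and the secrets in `main` are constructed stand-ins for values the mutual authentication would produce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const hdrLen = 8 + aes.BlockSize // sequence number, then the CTR IV

// Endpoint is one side of the session; both sides hold the same two secrets.
type Endpoint struct {
	block            cipher.Block // AES keyed with the confidentiality secret
	macKey           []byte       // integrity secret, used only for HMAC
	dir              byte         // 0 = FPGA, 1 = peer
	sendSeq, recvSeq uint64
}

// NewPair builds both ends from secrets assumed to come from mutual authentication.
func NewPair(encKey, macKey []byte) (*Endpoint, *Endpoint, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, nil, err
	}
	return &Endpoint{block: block, macKey: macKey, dir: 0},
		&Endpoint{block: block, macKey: macKey, dir: 1}, nil
}

// tag covers sender direction || seq || iv || ciphertext, so a frame cannot be
// altered, or reflected back to its sender, without detection.
func (e *Endpoint) tag(dir byte, body []byte) []byte {
	m := hmac.New(sha256.New, e.macKey)
	m.Write([]byte{dir})
	m.Write(body)
	return m.Sum(nil)
}

// Send returns seq(8) || iv(16) || ciphertext || tag(32).
func (e *Endpoint) Send(plaintext []byte) ([]byte, error) {
	frame := make([]byte, hdrLen+len(plaintext))
	binary.BigEndian.PutUint64(frame, e.sendSeq)
	if _, err := rand.Read(frame[8:hdrLen]); err != nil {
		return nil, err
	}
	cipher.NewCTR(e.block, frame[8:hdrLen]).XORKeyStream(frame[hdrLen:], plaintext)
	e.sendSeq++
	return append(frame, e.tag(e.dir, frame)...), nil
}

// Receive verifies the tag and the sequence number before decrypting.
func (e *Endpoint) Receive(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+sha256.Size {
		return nil, errors.New("short frame")
	}
	body, got := frame[:len(frame)-sha256.Size], frame[len(frame)-sha256.Size:]
	if !hmac.Equal(got, e.tag(e.dir^1, body)) {
		return nil, errors.New("integrity check failed")
	}
	if binary.BigEndian.Uint64(body) != e.recvSeq {
		return nil, errors.New("replayed or out-of-order frame")
	}
	plain := make([]byte, len(body)-hdrLen)
	cipher.NewCTR(e.block, body[8:hdrLen]).XORKeyStream(plain, body[hdrLen:])
	e.recvSeq++
	return plain, nil
}

func main() {
	enc := sha256.Sum256([]byte("constructed confidentiality secret"))
	mac := sha256.Sum256([]byte("constructed integrity secret"))
	fpga, gpu, err := NewPair(enc[:], mac[:])
	if err != nil {
		panic(err)
	}
	frame, sendErr := fpga.Send([]byte("constructed payload"))
	msg, err := gpu.Receive(frame)
	_, again := gpu.Receive(frame) // the same frame delivered twice
	fmt.Printf("send err=%v; first: %q err=%v; second: %v\n", sendErr, msg, err, again)
}
```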
As another example, illustrated in Figure 7, a process for securely programming an FPGA will now be described.
In general, securely programming an FPGA involves receiving encrypted program logic into memory. The encrypted program logic is decrypted within the field programmable gate array into memory in the FPGA. The decrypted program logic is then used to program the programmable elements of the field programmable gate array.
As illustrated in Figure 7, because the program logic is intended to implement cryptographic operations, it is desirable to ensure that the encrypted program logic is authenticated. For example, the encrypted program logic can be encrypted using an authenticated encryption protocol, or it can include a digital signature over the unencrypted program logic. In one implementation, the encrypted program logic can be encrypted using a symmetric key, which is encrypted with the FPGA's public key and is also digitally signed by a trusted source in a manner that the FPGA can cryptographically verify.
The FPGA receives 700 the encrypted symmetric key. The FPGA decrypts 702 the symmetric key using its own private key and authenticates the symmetric key using the public key of the trusted source. The FPGA then receives 704 the encrypted program logic. The FPGA decrypts 706 the encrypted program logic using the decrypted symmetric key and temporarily stores 708 the decrypted program logic in memory in the FPGA, where it is used by the control logic to program 710 the programmable elements of the FPGA.
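The Figure 7 flow (steps 700 to 710) as an added Go example, not code from the patent: a trusted source seals program logic for one FPGA, and the FPGA side refuses to hand anything to the control logic unless every check passes. Assumptions: RSA-OAEP wraps the symmetric key under the FPGA's public key, the trusted source's Ed25519 signature is taken over the wrapped key so it can be checked before the private-key operation, AES-256-GCM is the authenticated encryption, and the `Package`, `Seal` and `Load` names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Package is what the trusted source ships to the FPGA (hypothetical layout).
type Package struct {
	WrappedKey []byte // symmetric key, RSA-OAEP encrypted to the FPGA public key
	KeySig     []byte // trusted source's Ed25519 signature over WrappedKey
	Nonce      []byte // AES-GCM nonce
	Logic      []byte // program logic, AES-GCM encrypted and authenticated
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal plays the trusted source: encrypt the logic, wrap the key, sign the wrap.
func Seal(logic []byte, fpgaPub *rsa.PublicKey, srcPriv ed25519.PrivateKey) (*Package, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, fpgaPub, key, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Package{wrapped, ed25519.Sign(srcPriv, wrapped), nonce,
		aead.Seal(nil, nonce, logic, wrapped)}, nil // wrapped key bound in as AAD
}

// Load plays the FPGA (steps 700-710) and returns logic only if every check passes.
func Load(p *Package, fpgaPriv *rsa.PrivateKey, srcPub ed25519.PublicKey) ([]byte, error) {
	// Check the signature first, so unsigned input never reaches the private key.
	if !ed25519.Verify(srcPub, p.WrappedKey, p.KeySig) {
		return nil, fmt.Errorf("wrapped key is not signed by the trusted source")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, fpgaPriv, p.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed")
	}
	aead, err := newGCM(key)
	if err != nil || len(p.Nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("bad key or nonce length")
	}
	logic, err := aead.Open(nil, p.Nonce, p.Logic, p.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("program logic failed authentication, not programming")
	}
	return logic, nil
}

func main() {
	fpgaPriv, e1 := rsa.GenerateKey(rand.Reader, 2048)
	srcPub, srcPriv, e2 := ed25519.GenerateKey(rand.Reader)
	if e1 != nil || e2 != nil {
		panic("key generation failed")
	}
	pkg, err := Seal([]byte("constructed bitstream bytes"), &fpgaPriv.PublicKey, srcPriv)
	if err != nil {
		panic(err)
	}
	logic, err := Load(pkg, fpgaPriv, srcPub)
	pkg.Logic[0] ^= 1 // simulate corruption in transit or in main memory
	_, tamperErr := Load(pkg, fpgaPriv, srcPub)
	fmt.Printf("loaded %d bytes (err=%v); after corruption: %v\n", len(logic), err, tamperErr)
}
```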
The terms "article of manufacture", "process", "machine" and "composition of matter" in the subject matter of the appended claims are intended to limit the claims to subject matter deemed to fall within the scope of patentable subject matter as defined by the use of those terms in patent law.
Any or all of the alternative embodiments described herein may be used in any combination desired to form additional hybrid embodiments. It should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific implementations described above. The specific implementations described above are disclosed as examples only.
600‧‧‧FPGA
602‧‧‧Input/output memory
604‧‧‧Encrypted data
605‧‧‧Decryption module
606‧‧‧Encrypted key
608‧‧‧Decryption module
610‧‧‧Decrypted key
612‧‧‧Register
614‧‧‧Decrypted data
616‧‧‧Memory
620‧‧‧Data
622‧‧‧Encryption module
626‧‧‧Encryption module
630‧‧‧Programmable elements
632‧‧‧Control circuit
Claims (19)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/528,400 US9230091B2 (en) | 2012-06-20 | 2012-06-20 | Managing use of a field programmable gate array with isolated components |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201413490A TW201413490A (en) | 2014-04-01 |
TWI585612B true TWI585612B (en) | 2017-06-01 |
Family
ID=48901161
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW102121920A TWI585612B (en) | 2012-06-20 | 2013-06-20 | Managing use of a field programmable gate array with isolated components |
Country Status (4)
Country | Link |
---|---|
US (1) | US9230091B2 (en) |
CN (2) | CN108595985A (en) |
TW (1) | TWI585612B (en) |
WO (1) | WO2013192448A1 (en) |
2012
- 2012-06-20 US US13/528,400 patent/US9230091B2/en active Active

2013
- 2013-06-20 CN CN201810426090.9A patent/CN108595985A/en active Pending
- 2013-06-20 CN CN201310248192.3A patent/CN103488958A/en active Pending
- 2013-06-20 WO PCT/US2013/046881 patent/WO2013192448A1/en active Application Filing
- 2013-06-20 TW TW102121920A patent/TWI585612B/en not_active IP Right Cessation
Also Published As
Publication number | Publication date |
---|---|
WO2013192448A1 (en) | 2013-12-27 |
US20130346758A1 (en) | 2013-12-26 |
US9230091B2 (en) | 2016-01-05 |
TW201413490A (en) | 2014-04-01 |
CN103488958A (en) | 2014-01-01 |
CN108595985A (en) | 2018-09-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
MM4A | Annulment or lapse of patent due to non-payment of fees |